tcpdump notes

12 Nov 2007


tcpdump host and (port 20 or port 21)
tcpdump host and not arp
tcpdump -s0 -w foo -i eth0 # whole packet not 96 bytes, write to file foo, listen on eth0)
tcpdump -s 0 -i eth6 -w snmpget.pcap host and port 161 # capture snmp traffic

Three Way Handshake (from


  1. The initiating host (client) sends a synchronization packet (SYN flag set to 1) to initiate a connection. It sets the packet’s sequence number to a random value x.
  2. The other host receives the packet, records the sequence number x from the client, and replies with an acknowledgment and synchronization (SYN-ACK). The Acknowledgment is a 32-bit field in TCP segment header. It contains the next sequence number that this host is expecting to receive (x + 1). The host also initiates a return session. This includes a TCP segment with its own initial Sequence Number of value y.
  3. The initiating host responds with the next Sequence Number (x + 1) and a simple Acknowledgment Number value of y + 1, which is the Sequence Number value of the other host + 1.

This ssh example:

soniah.local.36126 > S 4193395019:4193395019(0)
win 5840 > soniah.local.36126: S 4235467031:4235467031(0)
ack 4193395020 win 5792

soniah.local.36126 > . ack 1 win 92

The first line contains a SYN (S) followed by a sequence number of .19. The second line contains a SYN S followed by an ack incremented by 1 to .20. The third line contains an ack, but tcpdump has renumbered it to 1 to make the subsequent packets easier to follow.

comments powered by Disqus

  « Previous: Next: »